Executive Summary

Information Technology Security Controls over FDICconnect

Report No. AUD-10-002
December 2009

Why We Did The Audit

The FDIC Office of Inspector General (OIG) contracted with KPMG LLP (KPMG) to conduct an audit of FDICconnect.

The objective of the performance audit was to assess the FDIC's information technology (IT) security controls over FDICconnect that are designed to ensure the confidentiality, integrity, and availability of the system. Specifically, the audit assessed selected IT security controls pertaining to the core functionality and selected business transactions of FDICconnect.

Background

FDICconnect is a Web-based application that allows FDIC-insured financial institutions to conduct business and exchange sensitive information (including privacy data) with the FDIC, other federal regulatory agencies, and state banking departments. FDICconnect is one of the most widely used Web-based applications at the FDIC.

KPMG used security standards and guidelines issued by the National Institute of Standards and Technology (NIST) as its principal criteria in performing the audit.

Audit Results

KPMG found that the FDIC had established and implemented a number of important information security controls over FDICconnect that are designed to ensure the confidentiality, integrity, and availability of the system. Such controls include written information security policies and procedures in substantially all of the areas that KPMG reviewed; key planning documents, such as an application security plan, contingency plan, and configuration management plan; and strong network perimeter security controls that include firewalls, an intrusion detection system, and monthly scanning of FDICconnect servers to detect missing security patches and other security vulnerabilities. Further, the Division of Information Technology (DIT) had certified and accredited FDICconnect using a methodology consistent with NIST security standards and guidelines.

The above accomplishments are notable. However, KPMG identified several security control deficiencies warranting management attention. Specifically, DIT needed to strengthen its configuration management controls for FDICconnect by ensuring that source code in the production computing environment and the FDIC's corporate software repository are consistent and properly documented. DIT also needed to review FDICconnect user accounts in the Microsoft Windows® Active Directory® and disable or delete accounts that are no longer needed. Further, DIT needed to update the security plan and contingency plan for FDICconnect to address changes in the application's technology and functionality. KPMG's report contains five recommendations to address these security control deficiencies.

KPMG's report includes one additional recommendation intended to improve the FDIC's Risk Management methodology. Specifically, DIT should review and revise (where appropriate) its risk assessment methodology to help ensure that risks associated with electronic transactions involving the Internet are fully considered.

Management's Response

On December 4, 2009, the Director, Division of Information Technology (DIT), provided a written response to the draft report. DIT concurred with the recommendations, and its actions and planned actions are responsive.

Because this report addresses issues associated with information security, we do not intend to make public release of the specific contents of the report.